1) The Guidelines 10/2020 on restrictions under Article 23 GDPR appear to be generally
addressed to the European Union (EU) and Member States’ legislators, by providing guidance
on permissible restrictions of data subject rights and data processing principles under Art. 23
GDPR. The Guidelines, however, also incorporate guidance directly addressed to data
controllers (e.g., para. 73 and ff.). It is recommended that the EDPB avoids diluting guidance
for controllers and processors amidst other guidance, and thus identifies more visibly which
parts or sections of the document are particularly relevant for which actors.


2) According to the Guidelines’ introduction, one of their key objectives is to clarify ‘how data
subjects can exercise their rights once the restriction is lifted’ (para. 1). In practice, however,
very limited consideration is given to the challenges faced by data subjects in exercising their
rights whenever restrictions are or have been applied and, more broadly, in even becoming
aware of the permissible restrictions to their rights that might apply and of the safeguards
accompanying such restrictions. This is problematic, as the Guidelines thus fail to address
some of the most acute problems related to the implementation of Art. 23 GDPR.


3) The fragmentation enabled by Art. 23 GDPR and the current lack of comprehensive
information on its implementation lead to legal uncertainty for data subjects when data
about them are processed, especially when data processing operations have a ‘cross-border’
element. Data subjects might not be aware of which restrictions adopted on the basis of Art.
23 GDPR apply to the processing of data about them in certain circumstances; if a processing
operation involves more than one Member State, the data subject might be oblivious to the
legislative measures allowing for restrictions in other Member States, and it might also not be
clear to them which national law and which national restrictions are actually applicable. This
can have detrimental consequences for data subjects, who could be confronted with data
processing operations which have triggered certain restrictions of their rights without them
even knowing about the existence of a legislative measure allowing for it, or about how to learn
about such legislative measure and its accompanying safeguards, and this even in cases in
which the legal framework of their place of residence, for instance, does not allow for such a
restriction.


4) The Guidelines do not refer to the fact that this might happen, but they
also do not openly state that this cannot happen; they simply leave the issue unattended. In line
with the key task of the EDPB, which is to ensure the consistent application of the GDPR,
it seems an absolute necessity that the Guidelines explicitly elucidate how to deal with
situations with ‘cross-border’ elements in which, for instance, a data subject is in a Member
State different from the one of the main establishment of the data controller. In such cases, the
Member State of the data controller’s main establishment might allow for a restriction that is
not permitted under the law of the Member State of the data subject’s residence, while, under the
national law of the latter Member State, that residence might nevertheless be the decisive factor
determining which national laws restricting data subjects’ rights are applicable.[5] We stress that:


- If in such cases the permissible restrictions are those adopted in the legal
framework of the main establishment of the data controller, the EDPB should give
special attention to mitigating the limited awareness of data subjects about the rules
adopted under Art. 23 GDPR in other Member States.


- If in such cases, on the contrary, the permissible restrictions are not necessarily
those of the Member State in which the data controller has its main establishment, but
perhaps those of the data subject’s residence, or those determined under other criteria,
this should be clearly explained in the Guidelines.


In any case, the EDPB should clearly detail which criteria govern the mentioned possible 
conflicts of law insofar as restrictions of data subject rights are concerned, if necessary detailing 
the interaction of Art. 23 GDPR with the EU private international law framework. Absent such 
clarification, the challenges linked to the determination of the applicable law in ‘cross-border’ 
situations will not only seriously limit the effectiveness of data subjects’ rights, but could also 
affect the consistent application of the GDPR. 


5) In practice, it is currently not only difficult to find information on which restrictions might
apply in cases with ‘cross-border’ elements, but it is also extremely difficult for data subjects
to find information on which restrictions are permissible in any given Member State, including
their own, i.e. the one in which they live, study or work. We believe the
EDPB and its members have a key role to play in addressing this problematic situation.


6) As established by Art. 57(1)(b) GDPR, it is the task of all Supervisory Authorities (SAs) to promote
in their own territory public awareness and understanding of data subject rights. In this
sense, numerous SAs include on their websites a section with general information on such
rights. It is very rare, however, to find on SAs’ websites detailed information on permissible
restrictions on data subject rights, be it, at least, a mere list of the legislative measures that
detail such permissible restrictions and their accompanying safeguards. The result is ultimately
confusing, as data subjects might be led to believe they can indeed exercise certain rights
also in situations where those rights have actually been, or might be, lawfully restricted. It
appears therefore necessary that SAs make available to the general public information on the
relevant legislative measures on which the lawful restriction of their rights might be based.


[5] See for example Art. 3(II) of Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés,
https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/.


7) Moreover, the EDPB should ensure that such information is accessible for data subjects also
in relation to processing operations governed by the laws of other Member States, as legislative
measures of other Member States might (at least presumably, as described above) also be
relied upon to restrict their rights. For this purpose, the EDPB should list on its own website
the links leading to the information on permissible restrictions on data subject rights published
on the SAs’ websites of all Member States. In addition, the EDPB should either directly list on its
own website, or require the European Data Protection Supervisor (EDPS) to provide, information on
permissible restrictions on GDPR data subject rights adopted in EU law. Additionally, the
possibility of offering at least a summary of the relevant information in different languages
should be considered, so that it is easily accessible for data subjects, controllers and processors
across the Union.


8) In relation to the requirements of Art. 23 GDPR, the Guidelines should be more specific as
to whether generic legislative measures, as can be found in certain Member States, are
allowed. In this respect, the Guidelines currently emphasise that in order for restrictions to be
lawful they need to be based on a legislative measure, and that this legislative measure should
‘be sufficiently clear in its terms to give citizens an adequate indication of the circumstances
in and conditions under which controllers are empowered to resort to any such restrictions’.[6]
Also, they note that ‘a general exclusion of all data subjects' rights with regard to all data
processing operations as well as a general limitation of the rights mentioned in Article 23
GDPR of all data subjects for specific data processing operations or with regard to specific
controllers would not respect the essence of the fundamental right to the protection of personal
data, as enshrined in the Charter’.[7] This raises the question of whether legislative measures that
allow for restrictions not even limited to specific operations and/or to specific controllers could
in any circumstance be compatible with the EU Charter of Fundamental Rights. An example
of this might be found in the approach taken by the Dutch legislator, which reproduces
Art. 23 in national law almost word for word, replacing the words ‘Union or Member State
law to which the data controller or processor is subject may restrict by way of legislative
measure...’ with ‘The controller may disregard the obligations and rights...’.[8] This legislative
measure was introduced as a reaction to the perceived problem that there would be ‘a certain
tension’ between the fact that it is in many cases not foreseeable for the government when a
restriction to data subject rights for one of the objectives mentioned in Art. 23(1) is necessary,
and the fact that Art. 23(2) ‘seems’ to require that precise limits must be set in advance in legal
regulations regarding the situations in which these interests arise.[9]


9) If the revised Guidelines do not offer unambiguous guidance on the compatibility of such
approaches with Art. 23 GDPR and with the EU Charter of Fundamental Rights, crucial
questions will be left unanswered regarding the interpretation of Art. 23 GDPR. This situation
might favour the persistence of restrictions to data subject rights that are insufficiently
foreseeable, and which problematically place the main responsibility for conducting the necessity
and proportionality test required by Art. 23 GDPR, which belongs in the hands of the
legislator, solely in the hands of individual controllers. It seems thus necessary for the EDPB
to provide clearer guidance on this point, fully dissipating existing doubts regarding the
possible lawfulness of the described interpretation of Art. 23 GDPR. More concretely, we
suggest the EDPB specifically considers stating in the Guidelines that the described type of
legislative measure cannot be in line with the GDPR and the EU Charter of Fundamental
Rights.


[6] See p. 7.

[7] See p. 6.

[8] Art. 41 Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) of 16 May 2018,
https://wetten.overheid.nl/BWBR0040940/2020-01-01/.

[9] Explanatory Memorandum Uitvoeringswet Algemene verordening gegevensbescherming (UAVG). This
interpretation of Art. 23 GDPR has not been rejected by the Dutch SA. See: Autoriteit Persoonsgegevens
(2017), Advies wetsvoorstel Uitvoeringswet Algemene verordening gegevensbescherming,
https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/advies_uitvoeringswet_avg.pdf, p. 13.


10) Summing up, we suggest that in the revised version of the Guidelines the EDPB:


- visibly identifies which parts or sections of the Guidelines are relevant for which
actors;


- clarifies which restrictions might apply in case of data processing operations with 
‘cross-border’ elements and divergent standards; 


- requires all of its members to make publicly available, online, references to the
legislative measures adopted under Art. 23 GDPR which are applicable under their
respective legal frameworks;


- commits to offering through the EDPB website a single point of entry to access such 
lists of legislative measures adopted under Art. 23 GDPR; 


- identifies a way of accessing information on EU-level measures that restrict GDPR 
data subject rights under Art. 23 GDPR; 


- dispels doubts on the possible lawfulness of generic legislative measures as described. 


11) On a different matter, Section 8.1 is devoted to the ‘Non-observation of Article 23 GDPR
requirements by a Member State’. There is no equivalent section on the non-observation of
Art. 23 GDPR requirements by the EU legislator. The EDPB should provide equally detailed
information on how it perceives its own role and the role of the European Commission in that
regard.


12) In addition, we have the following more specific comments: 


- para. 52 states that when restrictions ‘entail’ special categories of personal data, ‘the
legislative measure setting such a restriction should mention the special categories
therein involved’; this guidance should be clarified, as it is unclear when exactly it
would apply. Does it apply only to restrictions that are explicitly concerned with
restricting rights related to the processing of special categories of data? In that case, if they
already refer to special categories of data, it seems superfluous to recommend that they
‘mention’ them; perhaps what the EDPB would like to put forward is that special
safeguards must be detailed. Alternatively, is this guidance also supposed to apply when
a general restriction might eventually restrict rights related to the processing of special
categories of data? In that case, it can be argued that potentially all restrictions might have
such an impact, so again it is not clear which restrictions should ‘mention’ special
categories of data, and which would not have to.


- para. 53 refers to restrictions to ‘confidentiality of communication’ — it is unclear how 
this relates to Art. 23 GDPR. 


